App Control: Unable to remove Acceleration on Splunk Dashboards

Article ID: 286936

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • Lightning bolt shows next to searches
  • Disabling Accelerations displays an error that the search is not Accelerated

Environment

  • App Control Server: All Versions (Formerly CB Protection)
  • Cb Protection App for Splunk: Version 2.0
  • Splunk Enterprise: 6.6, 7.0, 7.1, 7.2 and 7.3

Cause

This is caused by the auto_summarize option set within the app's saved searches.

Resolution

  1. On the Splunk server, navigate to:
    \Splunk\etc\apps\bit9-secapp\default
  2. Edit the file SavedSearches.conf
  3. Replace each instance of:
    auto_summarize = 1
    with:
    auto_summarize = 0
  4. Restart the Splunk services
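
The file edit described in the steps above can be scripted. The following PowerShell is an added example, not part of the original article or the vendor's tooling; `-SplunkRoot` is a hypothetical parameter that must point at the directory containing `etc\apps`. It keeps a backup copy and lists the saved searches it changed, and the Splunk services still have to be restarted afterwards.

```powershell
# Added example (not vendor code). -SplunkRoot is an assumption: pass the Splunk
# install directory that contains etc\apps on your server.
param(
    [Parameter(Mandatory = $true)][string]$SplunkRoot
)

$conf = Join-Path $SplunkRoot 'etc\apps\bit9-secapp\default\SavedSearches.conf'
if (-not (Test-Path -LiteralPath $conf)) { throw "Not found: $conf" }
$conf = (Resolve-Path -LiteralPath $conf).Path   # .NET file APIs need a full path

$stanza  = '(no stanza)'
$changed = New-Object 'System.Collections.Generic.List[string]'
$out     = New-Object 'System.Collections.Generic.List[string]'

foreach ($line in [System.IO.File]::ReadAllLines($conf)) {
    if ($line -match '^\s*\[(.+)\]\s*$') {
        # Stanza header: remember which saved search the following keys belong to.
        $stanza = $Matches[1]
        $out.Add($line)
    }
    elseif ($line -match '^\s*auto_summarize\s*=\s*1\s*$') {
        # Anchored match, so commented-out lines (# auto_summarize = 1) are left alone.
        $changed.Add($stanza)
        $out.Add('auto_summarize = 0')
    }
    else {
        $out.Add($line)
    }
}

if ($changed.Count -eq 0) {
    Write-Output "No 'auto_summarize = 1' lines found in $conf; nothing changed."
    return
}

# Keep a timestamped copy so the edit can be reverted.
$backup = "$conf.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -LiteralPath $conf -Destination $backup

[System.IO.File]::WriteAllLines($conf, $out)

Write-Output "Backup written to $backup"
Write-Output "Acceleration disabled for $($changed.Count) saved search(es):"
$changed | ForEach-Object { Write-Output "  $_" }
```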